Added a check to see if proper crypto is available, and a warning if it is not.

2024-11-23 17:26:34 -05:00 · 2015-04-27 20:48:57 -04:00 · 2015-04-27 20:48:57 -04:00 · a10b0d36cc
commit a10b0d36cc
parent 042b20a101
2 changed files with 63 additions and 3 deletions
--- a/index.html
+++ b/index.html
@ -89,12 +89,23 @@
 		<div class="results_phrase_key" >Your passphrase is: </div>
 		<div class="results_phrase_value" ></div>

-		</div>
 	</div>

+	<div class="alert alert-danger bad_crypto" role="alert">
+	<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
+	<span class="sr-only">Error:</span>
+	Whoa there! Your browser doesn't have the getRandomValues() function.
+	This means that dice rolls you make <em>will not be cryptogrpahically secure!</em><br/>
+	Please try another browser. Otherwise, proceed at your own risk.
+	</div>
+
+	</div> <!--/ row -->
+
 	<div class="row">
 		<div class="col-md-12">

+		<div class="message" ></div>
+
 		<h2 class="dice_num">
 		Number of Dice to roll:
 		</h2>
@ -166,10 +177,20 @@ By all means, feel free to do so.  LastPass is an excellent product and I highly
 If, on the other hand, you prefer to be able to actually remember your 
 passwords, I recommend Diceware or a similar system.

+
+<h3>FAQ: Are these dice roles cryptographically secure?</h3>
+
+Yes, insofar as we're using the getRandomValues() function in Javascript, and you trust that your
+browser and computer have not been compromised or otherwise tampered with.  Keep in mind that a not-so-theoretical attack
+would be for an attacker to compromise the random number generator on your computer so that
+anything that is encrypted (or passkeys generated) would be suspectible to less intense cryptoanalysis.
+
+
 <h3>FAQ: Is the source available?</h3>

 Yep!  You can grab a copy at <a href="https://github.com/dmuth/diceware">https://github.com/dmuth/diceware</a>

+
 <h3>Who built this? / Contact</h3>

 My name is <a href="http://www.dmuth.org/">Douglas Muth</a>, and I am a software engineer in Philadelphia, PA.
--- a/main.js
+++ b/main.js
@ -3,14 +3,48 @@
 */
 (function() {

+
+/**
+* Return true if we have a function that returns cryptographically random 
+* values. False otherwise.
+*/
+function i_can_has_good_crypto() {
+
+	if (window.crypto && window.crypto.getRandomValues) { 
+		return(true);
+	}
+
+	return(false);
+
+} // End of i_can_has_good_crypto()
+
+
 /**
 * Roll a die.
 *
 * @return integer A random number between 1 and 6, inclusive.
 */
 function die_roll() {
-	return(Math.floor(Math.random() * 6) + 1);
-} 
+
+	var retval;
+
+	if (i_can_has_good_crypto()) {
+		var a = new Uint32Array(1);
+		window.crypto.getRandomValues(a);
+		retval = (a[0] % 6) + 1;
+
+	} else {
+		//
+		// Fall back to something way less secure.  The user has already 
+		// been warned.
+		//
+		retval = Math.floor(Math.random() * 6) + 1;
+
+	}
+
+	return(retval);
+
+}  // End of die_roll()


 /**
@ -246,6 +280,7 @@ jQuery("#roll_dice").on("click", function(e) {

 });

+
 //
 // If we're not on a mobile, bring in the GitHub ribbon.
 //
@ -253,6 +288,10 @@ if (!is_mobile()) {
 	jQuery("#github_ribbon").fadeIn(1000);
 }

+if (!i_can_has_good_crypto()) {
+	jQuery(".source .bad_crypto").clone().hide().fadeIn(800).appendTo(".message");
+}
+
 //
 // Load our wordlist.
 //